Yahoo Not Worried About Hackers Exploiting Old User IDs

By

Published June 20, 2013

| Reuters

advertisement

SAN FRANCISCO – Yahoo Inc on Wednesday downplayed concerns that its plans to recycle inactive user IDs could leave users exposed to hackers, saying only 7 percent of those IDs are tied to actual Yahoo email accounts.

The Internet company, which announced last week it would release user IDs that have been inactive for more than 12 months so that other people can claim them, was pressed to defend the plan after critics warned that hackers who take control of inactive accounts could also assume the identities of the accounts' previous owners.

Yahoo hopes the plan will spark fresh interest in its Web products like Mail, where users prefer individualized user IDs often derived from common names. But criticism of the plan comes at a time when fears over the security of personal information on the Internet have been heightened by revelations of massive U.S. government snooping and international online crime.

Yahoo stressed that it has put in place various safeguards, such as coordinating with other major Web companies including Google Inc and Amazon Inc to minimize the risk of identity theft.

The possibility of identity theft is "something we are aware of and we've gone through a bunch of different steps to mitigate that concern," said Dylan Casey, a senior director for consumer platforms. "We put a lot of thought, a lot of resources dedicated to this project."

Critics say hackers could claim inactive accounts for identity theft. If a Yahoo email is associated with a Google account, for instance, an identity thief with access to the Yahoo email account could use it to reset the Google account password and assume control.

Mat Honan, a Wired magazine writer who has previously written about being the victim of a devastating hacker attack, on Wednesday slammed Yahoo's plan as a "spectacularly bad idea."

"This is going to lead to a social engineering gold rush come mid-July," Honan wrote, referring to hacker tactic of obtaining passwords by deceiving people rather than cracking codes.

But Casey said that the vast majority of inactive accounts were more limited, used for services such as Yahoo's Fantasy Sports that are not tied to an email address and therefore not susceptible to identity theft.

Yahoo will also unsubscribe its inactive email accounts from mailing lists so that their new owners will not receive unwanted mail, Casey said.

"Can I tell you with 100 percent certainty that it's absolutely impossible for anything to happen? No. But we're going to extraordinary lengths to ensure that nothing bad happens to our users," Casey said.

Since the company announced its plans on June 12, users have 30 days to claim their inactive accounts before they are released, Yahoo said.